Dec 06, 2020

Diffie-Hellman "p" length 1024/2048 bits

Hey folks! Spoiler: very tricky question ahead!


On Diffie-Hellman negotiation (TLSv1.2 and the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite, to be more specific), is the length of p (aka the size, 1024/2048 bits) dependent on configuration alone, or could the issued certificate influence it?


I ask this because I have two VS that share the same cipher suites on the client-ssl profile but negotiate different sizes: one is 1024 and the other is 2048. And I read in K82014843 that BIG-IP is not supposed to use 2048 (as in, it's not implemented), and to my surprise I'm getting 2048-bit DH in my tests.


Any tips for me?




  • When it comes to the handshake, the ciphers alone play a role in negotiation. The certificate plays no part here.

    The DHE suites are 1024 only in F5; if you saw 2048-bit, it should have been ECDHE.


    Can you put a logging rule in place to confirm it was indeed a DHE suite and not ECDHE?
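As an added example (not part of the question or the reply above, and not F5 code), here is a small parser for the TLS 1.2 ServerKeyExchange message, which is where a DHE_RSA server sends p, g and its public value; that is why the server's configuration, not the certificate, decides the size of p. The parser tells DHE and ECDHE messages apart and reports the bit length of p. The two sample messages it builds are constructed test data (a modulus with only the top bit set, a dummy point, a dummy signature), not captures from a BIG-IP, and the named-curve table is a subset I chose for the example.

```python
"""Parse a TLS 1.2 ServerKeyExchange and report the DH group size (added example)."""

# Subset of IANA NamedCurve ids a server may choose for ECDHE (assumption: enough
# for the heuristic below; extend with any other curves your servers offer).
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1",
                0x0019: "secp521r1", 0x001D: "x25519", 0x001E: "x448"}


def _vector(buf: bytes, off: int, len_bytes: int):
    """Read a length-prefixed opaque vector at off; return (value, new_off)."""
    if off + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off:off + n], off + n


def parse_server_key_exchange(handshake: bytes) -> dict:
    """handshake = Handshake message: type(1) + length(3) + body.

    Returns {'kx': 'DHE'|'ECDHE', 'group': str, 'p_bits': int|None}.
    """
    if len(handshake) < 4 or handshake[0] != 12:   # HandshakeType server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ECDHE: ECParameters starts with ECCurveType named_curve (3) + 2-byte NamedCurve.
    # Heuristic: a DHE body starting 0x03 would mean a p of 768+ bytes, so no clash in practice.
    if len(body) >= 3 and body[0] == 3:
        curve_id = int.from_bytes(body[1:3], "big")
        if curve_id in NAMED_CURVES:
            return {"kx": "ECDHE", "group": NAMED_CURVES[curve_id], "p_bits": None}
    # DHE: ServerDHParams = dh_p<1..2^16-1> dh_g<1..2^16-1> dh_Ys<1..2^16-1>, then signature
    p, off = _vector(body, 0, 2)
    g, off = _vector(body, off, 2)
    ys, off = _vector(body, off, 2)
    p_bits = int.from_bytes(p, "big").bit_length()    # leading zero bytes do not count
    if int.from_bytes(ys, "big").bit_length() > p_bits:
        raise ValueError("dh_Ys larger than p: malformed parameters")
    return {"kx": "DHE", "group": f"{p_bits}-bit MODP group",
            "p_bits": p_bits, "g": int.from_bytes(g, "big")}


def build_dhe_ske(p_bits: int) -> bytes:
    """Constructed sample: DHE ServerKeyExchange with a p_bits-sized modulus.

    p is just a number with its top bit set (not a real safe prime) and the
    signature is dummy bytes; only the parameter encoding matters here.
    """
    p = (1 << (p_bits - 1)) | 1
    g = 2
    ys = p - 3                                   # any public value below p

    def v(n: int) -> bytes:                      # uint16 length + big-endian value
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return len(raw).to_bytes(2, "big") + raw

    sig = b"\x04\x01" + (256).to_bytes(2, "big") + b"\x00" * 256   # dummy rsa_pkcs1_sha256
    body = v(p) + v(g) + v(ys) + sig
    return b"\x0c" + len(body).to_bytes(3, "big") + body


def build_ecdhe_ske() -> bytes:
    """Constructed sample: ECDHE ServerKeyExchange on secp256r1 with a dummy point."""
    point = b"\x04" + b"\x11" * 64               # uncompressed point encoding, 65 bytes
    sig = b"\x04\x01" + (256).to_bytes(2, "big") + b"\x00" * 256
    body = b"\x03\x00\x17" + bytes([len(point)]) + point + sig
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for sample in (build_dhe_ske(1024), build_dhe_ske(2048), build_ecdhe_ske()):
        print(parse_server_key_exchange(sample))
```

Feed it the Handshake bytes of the ServerKeyExchange record from a packet capture of the virtual server in question. Against a live endpoint, `openssl s_client -connect host:443 -tls1_2 -cipher DHE-RSA-AES256-GCM-SHA384` gives the same answer without a capture: its `Server Temp Key: DH, N bits` line shows the negotiated group size, and restricting the cipher rules out ECDHE being picked instead.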

